Impact
A path traversal flaw in Mautic 7’s campaign import feature allows an authenticated user with the campaign:imports:create permission to extract ZIP archives in a way that escapes the intended temporary directories and writes arbitrary PHP files to sensitive system paths. The vulnerability is rooted in several weaknesses: CWE-22 (Path Traversal), CWE-73 (Improper Handling of Untrusted Content), and CWE-98 (Improper File Path Validation), which together enable arbitrary file writes. This capability can be used to overwrite critical configuration or cache files and ultimately achieve remote code execution as the web server user. The description explicitly states remote code execution but does not directly detail how confidentiality, integrity, or availability are affected; that assessment is inferred from the ability to modify or replace system files and execute arbitrary code.
Affected Systems
The vulnerability affects all Mautic 7 installations that enable the campaign import feature. Any instance that grants import privileges to non‑administrator users is at risk. No specific sub‑version range is provided, so all Mautic 7 releases implementing this functionality could be impacted.
Risk and Exploitability
The CVSS score of 9.9 classifies the issue as critical. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, yet the lack of publicly documented mitigations and the nature of the flaw make it highly exploitable. An attacker must possess authenticated access with the campaign:imports:create permission, which is typically given to users with moderate privileges. Once the path traversal is achieved, the attacker can write malicious PHP files into protected directories, leading to immediate remote code execution under the web server context, and thereby potentially compromising the confidentiality, integrity, and availability of the affected system.
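The defensive pattern for the flaw class described above is to validate every archive entry before a single byte is written: reject absolute paths, any `..` segment, and any file type the importer has no reason to write, then confirm the resolved target is still inside the destination directory. The following is an added example in Python, not Mautic's own code; the `.json`/`.csv` allowlist and the sample archive entries are constructed for illustration.

```python
"""Hardened ZIP extraction for an import feature (added example, not Mautic code)."""
import io
import os
import tempfile
import zipfile
from typing import List, Optional, Tuple

# Constructed allowlist: a campaign import should only ever carry data files,
# so a .php entry is rejected regardless of where it claims to land.
ALLOWED_EXTENSIONS = {".json", ".csv"}


def classify_entry(dest_dir: str, name: str) -> Optional[str]:
    """Return the contained absolute target path for a ZIP entry, or None if
    the entry must be rejected (absolute path, drive letter, '..', bad type)."""
    if not name or name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return None
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:          # never resolve '..', always reject it
        return None
    if os.path.splitext(parts[-1])[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *parts))
    # Filesystem-level check catches symlinks inside dest_dir pointing outward.
    return target if os.path.commonpath([root, target]) == root else None


def extract_import_archive(data: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract archive bytes into dest_dir; return (written, rejected) entry names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue                      # directories are created on demand
            target = classify_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)   # log/alert on this in production
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: one legitimate entry and two that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("campaign.json", '{"name": "demo"}')
        zf.writestr("../../config/local.php", "// constructed: escapes the temp dir")
        zf.writestr("assets/cache.php", "// constructed: wrong file type for an import")
    return buf.getvalue()


def demo() -> Tuple[List[str], List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return extract_import_archive(build_sample_archive(), tmp)
```

Running `demo()` writes only `campaign.json` and reports the two hostile entries as rejected; the rejected list is what an import endpoint should surface to logging, since a traversal entry in an uploaded archive is a strong indicator of abuse.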
OpenCVE Enrichment